Techniques and Tools for Secure Web Browser Extension Development


Explore the world of web browser extensions with Rezwana Karim's research at Rutgers University, focusing on secure development techniques, extensible platforms, and the implications of vulnerable extensions on platform security. Discover the popularity and impact of browser extensions in today's digital landscape.


Uploaded on Sep 08, 2024 | 1 Views



Presentation Transcript


  1. Techniques and Tools for Secure Web Browser Extension Development
     Rezwana Karim, Computer Science, Rutgers University
     Committee: Prof. Vinod Ganapathy (Chair), Prof. Ulrich Kremer, Prof. Santosh Nagarkatte, Prof. Long Lu (Stony Brook University)
     PhD Defense Talk, 9/8/2024

  2. Platforms with extensibility Rezwana Karim 2

  3. Web browser extension

  4. Extensions are everywhere
     Weather Watcher, Gmail Manager, Google Toolbar, Search by Image, Evernote Web Clipper, Strict Workflow, Video Download Helper, Invisible Hand, Honey, Unfriend Notify for Facebook, Social fixer, Greasemonkey, Click and Clean, Firebug, ESPNCricinfo, Pic2Pixlr, Instapaper, Pocket, Adblock, HTTPS everywhere, LastPass

  5. Extensions are everywhere
     Sensitive resources: Network, File system, Password, Preference, History, Cookies, Camera, OS
     Different from Web applications
     Weather Watcher, Gmail Manager, Google Toolbar, Search by Image, Evernote Web Clipper, Strict Workflow, Video Download Helper, Invisible Hand, Honey, Unfriend Notify for Facebook, Social fixer, Greasemonkey, Click and Clean, Firebug, ESPNCricinfo, Pic2Pixlr, Instapaper, Pocket, Adblock, HTTPS everywhere, LastPass

  6. Extension ecosystem
     Feature-rich platform, increased downloads, privileged API

  7. Popularity of browser extensions
     Firefox extensions in use: > 53,000 (February 2013), > 10 million users for Adblock Plus; > 14,000 (July 2015), > 19 million users for Adblock Plus
     https://addons.mozilla.org/en-US/statistics/

  8. Vulnerable extensions jeopardize platform security
     www.evil.com; insecure programming practice; exploitable vulnerability
     [Barth et al., NDSS 10] [Bandhakavi et al., Usenix Security 10]

  9. Safeguard platform from vulnerable third-party extensions

  10. Legacy extension architecture
      Extension code (Web Script + Extension Script): accesses sensitive resources, interacts with Web pages
      Sensitive resources: Password, History, Preference, Network, Cookies, File system, Camera, OS; Web page
      Extension Script: JavaScript code executing within the secure world
      Web Script: JavaScript code executing in the insecure Web page world

  11. Modern extension: Layered defense architecture
      Principle of Least Authority (POLA), Isolation, Privilege Separation
      Extension code (Web Script + Extension Script) with a Manifest
      Secure world: Extension Script accesses sensitive resources
      Insecure world: Web Script interacts with Web pages

  12. Defense-in-depth strategy
      Developer's expertise affects extension security [Karim et al., ECOOP 12]
      Modules: Main, File, Network

  13. Research questions
      How can we simplify secure extension development?
      How to detect security principle violations in browser extensions?
      How to transform a legacy vulnerable extension into a secure extension that adheres to the security principles?
      Analyzing the interactions with sensitive resources in extension code

  14. Extension Security: Solution spectrum
      1) VEX [Usenix Sec 09]. Key idea: static taint analysis
      2) Security Signature [CGO 14]. Key idea: information flow and API usage
         Beacon [ECOOP 12]
      1) SABRE [ACSAC 09], Secure extensibility [Usenix Sec 10]. Key idea: taint tracking
      2) Sentinel [DIMVA 13], IBEX [S&P 11]. Key idea: runtime policy enforcement
         Morpheus [ECOOP 14]

  15. Module Interaction
      Capability: privilege to access sensitive resources

      Main:
          var file = require("file");
          file.readFile(zipCodeFile);
          . . .

      File:
          var fileSystemPtr = accessToFileSystem();
          exports.readFile = function readFile(fileName) {
              // read the content of fileName
              . . .
              // return the content
              . . .
          };

  16. Research questions
      How can we simplify secure extension development?
      How to detect security principle violations in browser extensions?
      How to transform a legacy vulnerable extension into a secure extension that adheres to the security principles?

  17. Key Idea: Detect capability leaks
      Capability leaks through module interfaces lead to vulnerabilities
      Modules: Main, File, Network

  18. Capability flow analysis
      Static analysis of JavaScript (JS) modules: points-to analysis, information flow
      Taint: capability; Source: privileged resource access; Sink: exports interface
      Call graph based; context and flow insensitive

  19. Capability flow in object hierarchy
          var a = { x : object, y : { p : fileSystemPtr, z : object } }
      Object tree: a has properties x and y; y has properties p and z

  20. Capability flow using Datalog
          var a = { x : object, y : { p : fileSystemPtr, z : object } }
      Facts for a:  ptsTo(va, ha)  heapPtsTo(ha, x, hx)  heapPtsTo(ha, y, hy)  ptsTo(vx, hx)  ptsTo(vy, hy)
      Facts for y:  store(vy, p, vp)  heapPtsTo(hy, p, hp)  heapPtsTo(hy, z, hz)  ptsTo(vp, hp)  ptsTo(vz, hz)
      Taint:        isTainted(hp, file)  isTainted(hy, file)  isTainted(ha, file)
      [Gatekeeper, Guarnieri et al., Usenix Security 09]
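The inference the slide sketches, as an added example that is not Beacon's code: a naive fixpoint over the slide's points-to facts, with a constructed `exports.conf = a` store as the sink and three rules (field store, taint flowing up to the container, tainted object reachable from `exports`) that are my simplification, not Beacon's rule set.

```javascript
// Added example, not Beacon's code: a naive Datalog-style fixpoint over the
// points-to facts of slide 20, plus a constructed `exports` sink.
//   var a = { x: object, y: { p: fileSystemPtr, z: object } };
//   exports.conf = a;   // constructed: the module hands `a` across its interface
// Relations follow the slide: ptsTo(var, heap), heapPtsTo(heap, field, heap),
// store(var, field, var), isTainted(heap, capability). `leak` is our added sink relation.
const FACTS = {
  ptsTo:     [["va", "ha"], ["vx", "hx"], ["vy", "hy"], ["vp", "hp"], ["vz", "hz"],
              ["vExports", "hExports"]],
  heapPtsTo: [["ha", "x", "hx"], ["ha", "y", "hy"], ["hy", "z", "hz"]],
  store:     [["vy", "p", "vp"], ["vExports", "conf", "va"]],
  isTainted: [["hp", "file"]],   // source: hp is the file-system capability
  leak:      [],
};

const keyOf = t => t.join("|");

function analyse(facts) {
  // Keep every relation in a Map so derivations are idempotent and the fixpoint is detectable.
  const db = {};
  for (const r of Object.keys(facts)) db[r] = new Map(facts[r].map(t => [keyOf(t), t]));
  const rows = r => [...db[r].values()];
  const add = (r, t) => db[r].has(keyOf(t)) ? false : (db[r].set(keyOf(t), t), true);

  for (let changed = true; changed;) {
    changed = false;
    // heapPtsTo(h, f, h2) :- store(v, f, v2), ptsTo(v, h), ptsTo(v2, h2).
    for (const [v, f, v2] of rows("store"))
      for (const [pv, h] of rows("ptsTo")) if (pv === v)
        for (const [pv2, h2] of rows("ptsTo")) if (pv2 === v2)
          changed = add("heapPtsTo", [h, f, h2]) || changed;
    // isTainted(h, c) :- heapPtsTo(h, f, h2), isTainted(h2, c).   (taint flows up to the container)
    for (const [h, , h2] of rows("heapPtsTo"))
      for (const [th, c] of rows("isTainted")) if (th === h2)
        changed = add("isTainted", [h, c]) || changed;
    // leak(f, c) :- ptsTo(vExports, hE), heapPtsTo(hE, f, h), isTainted(h, c).   (sink: exports)
    for (const [pv, hE] of rows("ptsTo")) if (pv === "vExports")
      for (const [hh, f, h] of rows("heapPtsTo")) if (hh === hE)
        for (const [th, c] of rows("isTainted")) if (th === h)
          changed = add("leak", [f, c]) || changed;
  }
  return { tainted: rows("isTainted").map(keyOf).sort(), leaks: rows("leak").map(keyOf).sort() };
}

console.log(analyse(FACTS));   // leaks: ["conf|file"]; hx and hz stay untainted
```

Because the rules are flow and context insensitive, as on slide 18, the whole of `a` is reported tainted once `y.p` holds the capability, which is exactly why exporting `a` is flagged.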

  21. Beacon: Capability flow analysis tool
      Rules for JS to Datalog translation: points-to rules, heap allocation, taint inference rules
      Pipeline: call graph generator, SSA analyzer (SSA format), initial facts, imported module summaries, inference engine, capability analysis report
      2.8k lines of Java and Datalog; tools used: WALA, DES

  22. Evaluation
      Jetpack: Mozilla's new browser extension framework
      Over 600 Jetpack modules; modules from 359 Jetpack extensions; 68k lines of JavaScript code

  23. Capability leak
      36 leaks in over 600 modules; 12 in vendor code

      Module         Capability                                     Leak mechanism            Essential
      tabs/utils     Active tab, browser window and tab container   Function return           yes
      window-utils   Browser window                                 Function return           yes
      xhr            Reference to the XMLHttpRequest object         Property of this object   no
      xpcom          Entire XPCOM utility module                    Exported property         no

      Effect: all extensions developed on top of it

  24. Capability leaks: developer code
      24 leaks in 359 extensions; not required for functionality
      Extensions: Bookmarks Deiconizer, Browser Sign In, Customizable Shortcut, Firefox Share, Most Recent Tab, Open Web Apps, Recall Monkey
      Capability counts: 1, 2, 3, 10, 2, 4, 2
      Sensitive resources / service modules: Window, document; Preference, DOM, window; Preference, window, database, observer; database, stream, network; Preference, window; Preference, window, database, observer; IOService, favIcon

  25. Accuracy: Capability leak
      No false positives
      May miss some leaks: dynamic features (iterator, generator); unsupported JS constructs (for..each, yield, case statement over a variable); unmodeled JS constructs (eval, with); latent bugs

  26. Violation of privilege separation
      26 modules in 19 extensions

  27. Violation of POLA
      Beacon generates 18 warnings, 7 false positives

      Vendor module            Privilege           Severity
      file                     Directory service   Moderate
      hidden-frame             Timer               None
      tab-browser              Errors              None
      content/content-proxy    Chrome              Critical
      content/loader           File                Moderate
      content/worker           Chrome              Critical
      keyboard/utils           Chrome              Critical
      clipboard                Errors              None
      widget                   Chrome              Critical
      windows                  XPCOM, apiUtils     Critical

      Mozilla acknowledged and removed these violations: https://github.com/mozilla/addon-sdk/pull/291

  28. Research questions
      How can we simplify secure extension development?
      How to detect security principle violations in browser extensions?
      How to transform a legacy vulnerable extension into a secure extension that adheres to the security principles?

  29. Legacy to modern transformation
      ~10000 popular legacy extensions; Legacy, Morpheus, Modern
      Design challenges: Privilege Separation, POLA, Preserve UI
      Time consuming, labor-intensive; requires a deep and clear understanding of the differences between the two programming models

  30. Challenge 1: Privilege Separation
      Secure/Insecure partition
      Partition monolithic code into isolated JavaScript modules
      Increase the minimum number of modules to be compromised

  31. Secure/Insecure world partition
      Static dataflow analysis to identify an object's context
      Rewrite property access with accessor
      Opaque identifiers for shared objects
      Emulating synchronous communication over an asynchronous channel
      Legacy (secure world):  gBrowser.contentDocument
      Modern (secure world):  gBrowser.getProperty("contentDocument"), asynchronous communication with contentDocument in the insecure world

  32. Partition into multiple modules
      Main (Legacy); DisplayWeather: Weather, File, Network; Sensitive resources

  33. Challenge 2: Conformance to POLA
      Only required modules are imported; no capability leak across module interface
      Encapsulate privileged object: exposes only accessor methods; returns primitive values or an instance of a module
      Generate Manifest

  34. Transforming legacy code
      Node n in AST          Expression                                                  Rewrite
      Sensitive resource                                                                 Rewrite with require
      Property access        o := object(...), o is sensitive OR o is in content         Rewrite with getProperty / setProperty
      Method invoke          o := object(...), o is sensitive OR o is in content         Rewrite with invoke
      Object literal                                                                     Extract user module, rewrite with require
      Global access                                                                      Rewrite with GlobalGET / GlobalSET

  35. Core module usage
      Identify sensitive resource usage; replace with core module

      main.js (legacy):
          var data = fileSystemPtr.read("zip.txt");
      main.js (transformed):
          require("file").module.invoke("read", "zip.txt");

      file module:
          var file = fileSystemPtr;
          var _module_ = {
              invoke: function(methodName, args) {
                  . . . // switch case
              },
              . . .
          };
          exports.module = _module_;

  36. Extracting user module
      Identifies and groups related functionality into a single module

      main.js (legacy):
          function readZipCodeFromFile(location) {...}
          var Weather = {
              ...
              getWeatherData: function(zipcode) {
                  ...
                  return Weather.requestDataFromServer(zipcode);
              },
              requestDataFromServer: function(zipcode) {...},
          }
          function showWeather() {
              ...
              var temperature = Weather.getWeatherData(zipcode);
              ...
          }

      main.js (transformed):
          var Weather = require("user/Weather").module;
          GlobalSET("Weather", Weather);
          Weather.invoke("getWeatherData", zipcode);

  37. Extracted Weather module
      Weather module:
          var _module_ = {
              ...
              getWeatherData: function(zipcode) {
                  return GlobalGET("Weather").invoke("requestDataFromServer", zipcode);
              },
              requestDataFromServer: function(sendData) { ... }
          }
          exports.module = _module_;

  38. Preserve UI
      Analyzes the legacy extension's XUL overlay file, resource URI, CSS, icons
      Generates JS code to dynamically modify the browser's UI

      Legacy XUL code:
          <statusbar id="sb" onclick="alert('Hi')"> ... </statusbar>

      Generated JS code:
          var sb = document.getElementById("sb");
          sb["onclick"] = function() { alert("Hi"); };

  39. Policy checker
      CHECK(Module: m, Property: p, ArgList: ...)
      m = file, p = read: is [file-path] allowed? Yes / No
      m = network, p = open: is [url] allowed? Yes / No
      Is (m, p, ...) a sink violating a source (m', p', ...) already accessed? Yes / No
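The core module shape of slide 35 together with the checker of slide 39, as an added example that is not Morpheus's code. The in-memory file system, the network stub, the `require_` stand-in, the allow-list rules and the `flowBlocked` rule (slide 47's "cannot contact server after accessing the file system") are all constructed here.

```javascript
// Added example, not Morpheus's code: a core `file` module in the invoke(methodName, ...)
// shape of slide 35, fronted by a policy checker laid out like slide 39. The raw capability
// never crosses the module interface; only primitives do. File system, network stub,
// policy rules and the transformed extension code below are all constructed.
const fileSystemPtr = { files: { "profile/zip.txt": "08854" }, read(p) { return this.files[p]; } };
const networkPtr = { open(url) { return "opened " + url; } };
// Policy (constructed): per-sink argument checks, plus one flow rule from slide 47:
// the extension may not contact a server once it has touched the file system.
const POLICY = {
  file:    { read: a => a[0].startsWith("profile/") && !a[0].includes("..") },
  network: { open: a => a[0] === "https://weather.example/" },
  flowBlocked: [{ sink: "network.open", afterSource: "file.read" }],
};
const accessed = new Set();    // module.property sources this extension has already exercised

function check(m, p, args) {
  const sink = `${m}.${p}`, rule = POLICY[m] && POLICY[m][p];
  if (!rule || !rule(args)) throw new Error(`policy: ${sink}(${args.join(",")}) denied`);
  for (const f of POLICY.flowBlocked)
    if (f.sink === sink && accessed.has(f.afterSource))
      throw new Error(`policy: ${sink} denied after ${f.afterSource} was accessed`);
  accessed.add(sink);
}

// Core modules export one object whose only method is invoke(); the switch keeps the capability private.
const CORE = {
  file: { module: { invoke(methodName, ...args) {
    check("file", methodName, args);
    switch (methodName) {
      case "read": return String(fileSystemPtr.read(args[0]));   // primitive result, not the pointer
      default: throw new Error("file: unknown method " + methodName);
    }
  } } },
  network: { module: { invoke(methodName, ...args) {
    check("network", methodName, args);
    switch (methodName) {
      case "open": return networkPtr.open(args[0]);
      default: throw new Error("network: unknown method " + methodName);
    }
  } } },
};
const require_ = name => CORE[name];   // stand-in for Jetpack's require()
// Transformed main.js (slide 35): the legacy `fileSystemPtr.read("zip.txt")` becomes an invoke.
const readZip = () => require_("file").module.invoke("read", "profile/zip.txt");
const contactServer = url => require_("network").module.invoke("open", url);
const attempt = fn => { try { return { ok: true, value: fn() }; } catch (e) { return { ok: false, error: e.message }; } };

console.log(attempt(() => contactServer("http://www.evil.com/")));     // denied: not the specified server
console.log(attempt(readZip));                                           // { ok: true, value: "08854" }
console.log(attempt(() => contactServer("https://weather.example/")));  // denied: file system already read
```

The order of the three calls matters: the last one is allowed by the argument check and denied only by the source-already-accessed rule, which is the second decision in slide 39's flow.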

  40. Module level privilege computation
      Let $P(m)$ be the set of privileges that can be accessed by a module $m$;
      $m \to x$: module $m$ has direct access to sensitive resource $x$;
      $m_i \to m_j$: module $m_i$ imports module $m_j$;
      $m_u$: user module in an extension; $m_c$: core module in an extension.
      Module privilege is fixed at runtime.
      Core module:  $P(m) := \bigcup \{ P(x) \mid m \to x \} \cup \bigcup \{ P(m_c) \mid m \to m_c \}$
      User module:  $P(m) := \bigcup \{ P(m_c) \mid m \to m_c \}$

  41. Security analysis of transformed DisplayWeather extension
      Limit vulnerability effect only to the compromised module
      Increases the minimum number of modules to be compromised
      Modules: Main, Weather, Login Manager; core modules file, network, password (password.txt); sensitive resources File, Network; Policy Checker

  42. Morpheus: Implementation
      2.9k lines of JavaScript; 10.5k lines implementing 100 core modules

  43. Evaluation
      Dataset: extensions developed using JavaScript, HTML, XUL, CSS; 52 legacy extensions: 50 real-world, 2 synthetic
      Correctness of transformation: manually exercised advertised functionality; all transformed (Jetpack) extensions retain advertised functionality

  44. Evaluation: Conformance to POLA
      Capability leaks lead to POLA violation (modules: Main, File, Network)
      Used Beacon to verify that no module leaks references to privileged objects [Karim et al., ECOOP 12]

  45. Evaluation: Effectiveness of user module extraction
      (chart: privilege separation in user modules against #Core modules)

  46. Modules accessing multiple categories of core modules
      Categories: I: Application, II: Browser, III: DOM, IV: I/O, V: Security, VI: Misc.

  47. Runtime policy checking
      Policy                                                                              Generic   # extensions
      Contact only specified remote server                                                No        3
      Access only files in profile directory as advertised                                No        1
      Cannot access preference branch other than its own                                  Yes       2
      Cannot contact server if the extension has already accessed the file system         Yes       1
      Cannot contact server if the extension has already accessed LoginManager            Yes       1
      Cannot contact server if the extension has accessed browsing history                Yes       1
      Cannot contact server if the extension has accessed browser cache                   Yes       2

  48. Limitations
      Plethora of privileged APIs; extensions with binary components
      Performance slowdown due to repeated context switches
      Might require developer assistance: encoding extension-specific policy; rewriting special cases like comparison against HTMLDocument

  49. Summary
      Extension security depends on developer expertise and meticulous effort
      How to detect security principle violations in Web browser extensions? Beacon [ECOOP 12]: a system for capability flow analysis
      How to transform a vulnerable extension into a secure extension that adheres to these principles? Morpheus [ECOOP 14]: automated transformation toolchain
      Results acknowledged by Mozilla: https://github.com/mozilla/addon-sdk/pull/291
